Generates an IAM policy from the CloudFormation registry schema returned by describe-type
cfn-giam
Automatically generate the IAM policies required to deploy your CloudFormation file
Manual procedure
- Open AWS CloudShell or any terminal configured with the AWS CLI.
- Install cfn-giam:
pip3 install cfngiam
- Check the IAM policy required to execute the CloudFormation file or folder:
cfn-giam -i $yourcfn -o $exportfolder
cli options
CLI option | Description | Required |
---|---|---|
-i, --input-path | CloudFormation file, folder, or URL of a CloudFormation template. YAML and JSON are supported. If the path is a folder, it is scanned recursively. | yes, or -l |
-l, --input-resouce-type-list | Comma-separated list of AWS resource type names, e.g. "AWS::IAM::Role,AWS::VPC::EC2". | yes, or -i |
-o, --output-folderpath | Root folder for the generated IAM policy files. If not specified, it defaults to the input path; if no input path is given either, files are written to the current directory. | no |
-p, --policy | Name of the IAM policy to create on AWS. | no |
-r, --role | Name of the IAM role to create on AWS. | no |
-v, --version | Show version information and quit. | no |
-V, --verbose | Give more detailed output. | no |
--help | Show a help synopsis and quit. | no |
cli examples
CloudFormation file
cfn-giam -i ./CFn/example.yml
cfn-giam generates "./CFn/example.json"
CloudFormation folder
cfn-giam -i ./CFn -o ./dist
cfn-giam generates "./dist/CFn/example.json"
cfn-giam generates "./dist/MasterPolicy.json"
CloudFormation URL
cfn-giam -i https://s3.ap-northeast-1.amazonaws.com/cloudformation-templates-ap-northeast-1/Windows_Single_Server_SharePoint_Foundation.template
cfn-giam generates "./Windows_Single_Server_SharePoint_Foundation.json"
CloudFormation resource type list
cfn-giam -l AWS::EC2::Instance,AWS::EC2::SecurityGroup,AWS::EC2::Instance
cfn-giam generates "./Windows_Single_Server_SharePoint_Foundation.json"
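The examples above only show the command line. To make the underlying idea concrete (the summary line says the policy is built from the registry schema that describe-type returns), here is an added illustration in Python. It is not cfn-giam's own code: it extracts the resource types from a JSON or YAML template, looks up each type's handler permissions in a schema-shaped dictionary, and unions them into one policy. SAMPLE_SCHEMAS is a constructed, abridged stand-in for the real output of `aws cloudformation describe-type`, the sample templates are constructed, and the function names are my own. PyYAML is assumed for the YAML path; the loader is tolerant of the `!Ref`/`!Sub` short-form tags that `yaml.safe_load` would otherwise reject.

```python
# Added illustration, not cfn-giam's own code: derive an IAM policy from the
# resource types a template declares, using permission lists in the shape of
# the registry schema that `aws cloudformation describe-type` returns.
from __future__ import annotations

import json
from typing import Any, Optional

try:
    import yaml  # PyYAML, optional: only needed for YAML templates
except ImportError:
    yaml = None

# Constructed, abridged stand-in for real registry schemas, whose "handlers"
# section lists the permissions each lifecycle handler (create/read/...) needs.
SAMPLE_SCHEMAS = {
    "AWS::S3::Bucket": {"handlers": {
        "create": {"permissions": ["s3:CreateBucket", "s3:PutBucketTagging"]},
        "read": {"permissions": ["s3:GetBucketTagging"]},
        "delete": {"permissions": ["s3:DeleteBucket"]}}},
    "AWS::IAM::Role": {"handlers": {
        "create": {"permissions": ["iam:CreateRole", "iam:GetRole"]},
        "read": {"permissions": ["iam:GetRole"]},
        "delete": {"permissions": ["iam:DeleteRole"]}}},
    "AWS::CloudFormation::WaitConditionHandle": {},  # no handlers: nothing derivable
}

# Constructed sample templates. The YAML one uses short-form intrinsic tags
# (!Sub, !Ref), which plain yaml.safe_load rejects as undefined tags.
SAMPLE_TEMPLATE_JSON = json.dumps({"Resources": {
    "Bucket": {"Type": "AWS::S3::Bucket"}, "Role": {"Type": "AWS::IAM::Role"},
    "Handle": {"Type": "AWS::CloudFormation::WaitConditionHandle"}}})
SAMPLE_TEMPLATE_YAML = """\
Resources:
  Bucket:
    Type: AWS::S3::Bucket
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${AWS::StackName}-role'
      Tags:
        - Key: Bucket
          Value: !Ref Bucket
"""


def yaml_supported() -> bool:
    return yaml is not None


def load_template(text: str) -> dict[str, Any]:
    """Parse a JSON or YAML template; YAML gets a loader tolerant of '!' tags."""
    if text.lstrip().startswith("{"):
        return json.loads(text)
    if yaml is None:
        raise RuntimeError("PyYAML is required to parse YAML templates")

    class CfnLoader(yaml.SafeLoader):
        pass

    def keep_value(loader, tag_suffix, node):  # drop the intrinsic tag, keep the value
        if isinstance(node, yaml.SequenceNode):
            return loader.construct_sequence(node)
        if isinstance(node, yaml.MappingNode):
            return loader.construct_mapping(node)
        return loader.construct_scalar(node)

    CfnLoader.add_multi_constructor("!", keep_value)
    return yaml.load(text, Loader=CfnLoader)


def resource_types(template: dict[str, Any]) -> list[str]:
    """Distinct resource types declared under Resources, sorted."""
    resources = template.get("Resources") or {}
    return sorted({r["Type"] for r in resources.values()
                   if isinstance(r, dict) and r.get("Type")})


def permissions_for(type_name: str, schemas: dict[str, Any]) -> Optional[set[str]]:
    """Union of permissions over all handlers, or None when none can be derived,
    so callers report the type instead of silently under-provisioning."""
    handlers = schemas.get(type_name, {}).get("handlers") or {}
    actions = {p for h in handlers.values() for p in h.get("permissions", [])}
    return actions or None


def build_policy(template: dict[str, Any], schemas: dict[str, Any] = SAMPLE_SCHEMAS
                 ) -> tuple[dict[str, Any], list[str]]:
    """One Allow statement with every derived action, plus the unsupported types."""
    actions, unsupported = set(), []
    for type_name in resource_types(template):
        perms = permissions_for(type_name, schemas)
        if perms is None:
            unsupported.append(type_name)
        else:
            actions |= perms
    policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": sorted(actions),
        # Schemas list actions only; scope Resource to the stack's ARNs before use.
        "Resource": "*"}]}
    return policy, unsupported
```

Types with no derivable permissions are returned separately rather than dropped, which is the behaviour a practitioner wants from a least-privilege generator: a missing entry should be visible, like the unsupported-types list further down this page, instead of producing a policy that silently fails at deploy time.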
Automated procedure
1. Fork this repository to your GitHub account.
2. Create an IAM role and IAM identity provider for GitHub Actions:
   - Open CloudFormation in your AWS account.
   - Create a stack from GithubOIDCRole-ReadOnly.yml.
   - Make a note of the Role ARN created by the stack and the name of the region the stack is in.
3. Register the Role ARN and region name as GitHub secrets:
   - Open the GitHub Actions page of your repository.
   - Register the following GitHub secrets:
     - NAME: AWS_REGION, VALUE: the name of the region the stack is in
     - NAME: ROLE_ARN, VALUE: the Role ARN created by the stack
4. Commit and push your CloudFormation file:
   - Add your CloudFormation file to the CFn folder.
   - Commit and push to your repository.
5. Check the artifacts on GitHub Actions:
   - Open the GitHub Actions page of your repository.
   - Make sure the latest "Check the IAM Policy" workflow run succeeded.
   - Open the latest workflow run.
   - Download the artifact from the latest workflow run.
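Step 2 of the procedure above creates a role that GitHub Actions assumes through the OIDC identity provider. Whether only your repository can assume that role depends entirely on the role's trust policy, so here is an added check in Python, not part of cfn-giam or of GithubOIDCRole-ReadOnly.yml, that audits such a trust policy: the federated principal must be the GitHub provider, the audience claim must be pinned to sts.amazonaws.com (the audience requested by the standard aws-actions/configure-aws-credentials action), and every subject condition must be restricted to the expected repository. The two sample policies are constructed, the account id 123456789012 is a placeholder, and the function names are my own.

```python
# Added check, not part of cfn-giam or its GithubOIDCRole-ReadOnly.yml: audit
# the trust policy of a role meant for GitHub Actions so only the intended
# repository can assume it through the OIDC provider.
from __future__ import annotations

from typing import Any

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
DEFAULT_AUDIENCE = "sts.amazonaws.com"  # audience used by aws-actions/configure-aws-credentials


def _as_list(value: Any) -> list:
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_github_oidc_trust_policy(doc: dict[str, Any], expected_repo: str) -> list[str]:
    """Return findings for every Allow statement granting AssumeRoleWithWebIdentity.
    An empty list means: the principal is the GitHub provider, aud is pinned to
    DEFAULT_AUDIENCE, and every sub value starts with repo:<expected_repo>:."""
    findings: list[str] = []
    aud_key, sub_key = f"{GITHUB_OIDC_HOST}:aud", f"{GITHUB_OIDC_HOST}:sub"
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if "sts:AssumeRoleWithWebIdentity" not in actions and "sts:*" not in actions:
            continue
        principal = st.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not federated or not all(GITHUB_OIDC_HOST in p for p in federated):
            findings.append(f"statement {i}: Federated principal is not the GitHub OIDC provider")
        # Flatten Condition into {(operator, key): [values]} for direct lookup.
        conditions = {(op, key): _as_list(val)
                      for op, kv in st.get("Condition", {}).items() for key, val in kv.items()}
        if conditions.get(("StringEquals", aud_key)) != [DEFAULT_AUDIENCE]:
            findings.append(f"statement {i}: {aud_key} is not pinned to {DEFAULT_AUDIENCE}")
        subs = conditions.get(("StringEquals", sub_key), []) + conditions.get(("StringLike", sub_key), [])
        if not subs:
            findings.append(f"statement {i}: no {sub_key} condition; any GitHub repository could assume the role")
        for sub in subs:
            if not sub.startswith(f"repo:{expected_repo}:"):
                findings.append(f"statement {i}: sub {sub!r} is not restricted to repo:{expected_repo}")
    return findings


# Constructed sample trust policies; the account id is a placeholder.
_PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_HOST
GOOD_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": _PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": DEFAULT_AUDIENCE},
        "StringLike": {f"{GITHUB_OIDC_HOST}:sub": "repo:example-org/example-repo:*"},
    }}]}
# Same statement with no Condition block: every GitHub repository could assume the role.
BAD_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": _PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity"}]}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)):
        print(name, audit_github_oidc_trust_policy(doc, "example-org/example-repo") or "OK")
```

Run it against the trust policy you exported from the stack (for example via `aws iam get-role`) with your own `org/repo` as `expected_repo`; a non-empty result means a token from a repository other than yours could still exchange for credentials on that role.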
Others
GitHub Actions thumbprint
The GitHub Actions OIDC thumbprint changes from time to time (see the Changelog).
In that case, fetch the new thumbprint with GetGithubOIDCThumbprint.sh and update GithubOIDCRole-ReadOnly.yml accordingly:
sh GetGithubOIDCThumbprint.sh
Unsupported resource types
Unsupported resource types |
---|
AWS::AmazonMQ::Broker |
AWS::AmazonMQ::Configuration |
AWS::AmazonMQ::ConfigurationAssociation |
AWS::ApiGateway::DocumentationPart |
AWS::ApiGateway::RestApi |
AWS::ApiGateway::VpcLink |
AWS::ApiGatewayV2::Api |
AWS::ApiGatewayV2::ApiGatewayManagedOverrides |
AWS::ApiGatewayV2::ApiMapping |
AWS::ApiGatewayV2::Authorizer |
AWS::ApiGatewayV2::Deployment |
AWS::ApiGatewayV2::DomainName |
AWS::ApiGatewayV2::Integration |
AWS::ApiGatewayV2::IntegrationResponse |
AWS::ApiGatewayV2::Model |
AWS::ApiGatewayV2::Route |
AWS::ApiGatewayV2::RouteResponse |
AWS::ApiGatewayV2::Stage |
AWS::ApiGatewayV2::VpcLink |
AWS::AppConfig::Application |
AWS::AppConfig::ConfigurationProfile |
AWS::AppConfig::Deployment |
AWS::AppConfig::DeploymentStrategy |
AWS::AppConfig::Environment |
AWS::AppConfig::HostedConfigurationVersion |
AWS::AppMesh::GatewayRoute |
AWS::AppMesh::Mesh |
AWS::AppMesh::Route |
AWS::AppMesh::VirtualGateway |
AWS::AppMesh::VirtualNode |
AWS::AppMesh::VirtualRouter |
AWS::AppMesh::VirtualService |
AWS::AppStream::DirectoryConfig |
AWS::AppStream::Fleet |
AWS::AppStream::ImageBuilder |
AWS::AppStream::Stack |
AWS::AppStream::StackFleetAssociation |
AWS::AppStream::StackUserAssociation |
AWS::AppStream::User |
AWS::AppSync::ApiCache |
AWS::AppSync::ApiKey |
AWS::AppSync::DataSource |
AWS::AppSync::FunctionConfiguration |
AWS::AppSync::GraphQLApi |
AWS::AppSync::GraphQLSchema |
AWS::AppSync::Resolver |
AWS::ApplicationAutoScaling::ScalableTarget |
AWS::ApplicationAutoScaling::ScalingPolicy |
AWS::AutoScaling::AutoScalingGroup |
AWS::AutoScaling::ScalingPolicy |
AWS::AutoScaling::ScheduledAction |
AWS::AutoScalingPlans::ScalingPlan |
AWS::Batch::JobDefinition |
AWS::Budgets::Budget |
AWS::CertificateManager::Certificate |
AWS::Cloud9::EnvironmentEC2 |
AWS::CloudFormation::CustomResource |
AWS::CloudFormation::Macro |
AWS::CloudFormation::Stack |
AWS::CloudFormation::WaitCondition |
AWS::CloudFormation::WaitConditionHandle |
AWS::CloudFront::StreamingDistribution |
AWS::CloudWatch::Alarm |
AWS::CloudWatch::AnomalyDetector |
AWS::CloudWatch::Dashboard |
AWS::CloudWatch::InsightRule |
AWS::CodeStar::GitHubRepository |
AWS::Cognito::IdentityPool |
AWS::Cognito::IdentityPoolRoleAttachment |
AWS::Cognito::UserPool |
AWS::Cognito::UserPoolClient |
AWS::Cognito::UserPoolDomain |
AWS::Cognito::UserPoolGroup |
AWS::Cognito::UserPoolIdentityProvider |
AWS::Cognito::UserPoolResourceServer |
AWS::Cognito::UserPoolRiskConfigurationAttachment |
AWS::Cognito::UserPoolUICustomizationAttachment |
AWS::Cognito::UserPoolUser |
AWS::Cognito::UserPoolUserToGroupAttachment |
AWS::Config::ConfigRule |
AWS::Config::ConfigurationRecorder |
AWS::Config::DeliveryChannel |
AWS::Config::OrganizationConfigRule |
AWS::Config::RemediationConfiguration |
AWS::DAX::Cluster |
AWS::DAX::ParameterGroup |
AWS::DAX::SubnetGroup |
AWS::DLM::LifecyclePolicy |
AWS::DMS::Certificate |
AWS::DMS::Endpoint |
AWS::DMS::EventSubscription |
AWS::DMS::ReplicationInstance |
AWS::DMS::ReplicationSubnetGroup |
AWS::DMS::ReplicationTask |
Source distribution: cfngiam-0.4.5.tar.gz (11.9 kB)
Built distribution: cfngiam-0.4.5-py3-none-any.whl (11.9 kB)